Overview
On or before December 4, 2021, HITRUST will introduce a new feature in MyCSF to allow Assessed Entities to preview the effects of upgrading the CSF version or making any other changes which impact the composition of a HITRUST CSF Validated or Readiness Assessment before the change is made.
Update: This feature is now available.
CSF Version Upgrade for a HITRUST CSF Validated or Readiness Assessment
Consistent with the CSF Versioning Policy announced in HAA 2021-005, all new versions of the HITRUST CSF will be displayed in MyCSF using the versioning syntax of v[Major].[Minor].[Errata]. In order to provide further transparency into the updates introduced in each new major, minor, and errata version of the CSF, MyCSF will allow Assessed Entities to preview the effects of upgrading their assessment to a new CSF version. The MyCSF preview functionality provides a high-level summary and a detailed report of all modifications that would result from upgrading the CSF version utilized for a particular assessment.
The Assessed Entity may preview and upgrade the CSF version at any time while the assessment is in the Answering Assessment state prior to any assessment domains being submitted to the External Assessor for validation.
If any new major, minor, or errata versions of the CSF are available, MyCSF displays the upgrade options to the Assessed Entity upon accessing any of the following pages:
- Organization Information
- Assessment Options
- Systems
- Facilities
- Default Scoring Profile
- Factors
The upgrade options could include the following based upon the version of the CSF that the assessment currently utilizes:
- The most recently released errata version for the same minor CSF version that the assessment is currently utilizing (Example: v9.5.0 to v9.5.1)
- The most recently released minor version for the same major CSF version that the assessment is currently utilizing (Example: v9.4 to v9.5.1)
- The most recently released major version of the CSF (Example: v8 to v9.5.1)
The Assessed Entity is presented with the option to preview the differences between their current assessment and the assessment that would be created upon upgrading to the version of the library selected by the Assessed Entity. MyCSF displays a high-level summary of the differences, and the Assessed Entity is presented with the option to download a detailed report of all modifications to the assessment including, but not limited to:
- Addition, Removal, or Modification of a Requirement Statement
- Modification of a Requirement Statement’s Illustrative Procedure
- Factor Added or Removed from a Requirement Statement
- Addition or Removal of an Authoritative Source Mapping for a Requirement Statement
- Modification of the Control Level Implementation of a Requirement Statement
- Modification of a Requirement Statement’s Control Reference, Control Objective, and/or Control Category
- Modification of a Requirement Statement’s Assessment Domain
After previewing the changes, the Assessed Entity has the option to either proceed with updating the CSF Version or to not apply the update.
Previewing a change to the composition of a HITRUST CSF Validated or Readiness Assessment
The preview functionality described above is also available at any time that the Assessed Entity attempts to make a change within MyCSF which will result in a modification to the composition of their HITRUST CSF Validated or Readiness Assessment. Examples of these changes include:
- Changing a Factor response
- Changing the following options on the Assessment Options page:
  - Would you like only the controls required for certification or ALL CSF security controls?
  - Include privacy controls?
When making such a change to the assessment, MyCSF displays a high-level summary of the differences and the Assessed Entity is presented with the option to download a detailed report of all modifications to the assessment including, but not limited to:
- Addition, Removal, or Modification of a Requirement Statement
- Modification of a Requirement Statement’s Illustrative Procedure
- Factor Added or Removed from a Requirement Statement
- Addition or Removal of an Authoritative Source Mapping for a Requirement Statement
- Modification of the Control Level Implementation of a Requirement Statement
- Modification of a Requirement Statement’s Control Reference, Control Objective, and/or Control Category
- Modification of a Requirement Statement’s Assessment Domain
After previewing the changes, the Assessed Entity has the option to either proceed with making the previewed changes or to not apply them.
Implementation
The CSF version upgrade and preview functionality described above will be implemented for all HITRUST CSF Validated and Readiness Assessments on or before December 4, 2021.
Update: This feature is now available.